When McDonald's Gives Better Cybersecurity Advice Than Your IT Department

Opinion

Thirty years. That is how long the cybersecurity industry has been lecturing people about password hygiene. Thirty years of awareness campaigns, e-learning modules, complexity policies, and mandatory training that employees click through without reading. Thirty years of “use a capital letter and a special character” and “change your password every ninety days.”

And then, in February 2026, McDonald’s Netherlands ran a single advertisement for Change Your Password Day that illustrated the problem better than all of it.

The McDonald’s Campaign

On 1 February 2026, McDonald’s Netherlands issued a press release drawing on data from Have I Been Pwned, the breach notification platform maintained by security researcher Troy Hunt. The data showed that “bigmac” had appeared in compromised password datasets 110,922 times. “Frenchfries” appeared 34,407 times. “Happymeal” 17,269 times. “Mcnuggets” 2,219 times.

The ads ran in Dutch subway stations and across digital channels. The tagline: “You’re lovin’ it. But hackers too.”

Good line. Better than most of what the security industry produces.

But here is what caught my attention: the campaign did not stop there. It also pointed out that “Ch!ck3nMcN4gg€t$” is not a secure password either. Character substitution, the trick of swapping letters for symbols and numbers that security awareness training has taught for two decades, does not protect you.

McDonald’s got that right. Most corporate security policies have not caught up yet.

Why 110,922 People Used “bigmac” as a Password

Before you sit back and feel superior, I want you to think about why this happened.

These are not stupid people. They are ordinary people who needed to create a password for a website, wanted something they could actually remember, and chose a word they use every day. Some of them probably thought they were being clever. Some of them used it because a previous password was rejected and they grabbed the first thing that came to mind.

This is what human beings do when you give them an unreasonable cognitive load. You cannot ask someone to memorise thirty unique, complex, rotating passwords and expect compliance. You just cannot. The brain does not work that way.

The security industry spent thirty years blaming users for being human. McDonald’s spent thirty seconds pointing out that the approach was wrong.

Those 110,922 “bigmac” passwords are not a user problem. They are a policy design problem.

The Character Substitution Myth That Will Not Die

Here is something that should embarrass every security awareness training vendor that has ever sold a product to a UK SMB: the NCSC has been publicly documenting why character substitution tricks fail since at least 2016.

From the NCSC’s own guidance: enforcing complexity requirements results in the creation of more predictable passwords, not less predictable ones. Our minds cannot memorise genuinely random character strings, so we use predictable patterns instead. We swap the letter “o” for a zero. We add an exclamation mark at the end. We capitalise the first letter.

And attackers know this. Password-cracking tools such as hashcat and John the Ripper do not guess blindly; they take a dictionary and apply rule files that encode every common mangling (hashcat ships leetspeak.rule and best64.rule, for example). “B1gMac”, “B!gMac”, “B1gM@c” and “B!gM@c” are all derived from “bigmac” and checked automatically, rapidly, without any human effort on the attacker’s part.

Complexity policies do not produce stronger passwords. They produce the illusion of stronger passwords, which is considerably worse.

McDonald’s had the good sense to include this in their campaign. Most UK IT departments have not updated their password policies accordingly.

What the NCSC Has Been Saying for Years

The NCSC’s guidance is unambiguous, and has been for some time. Three random words, combined into a single passphrase, create something that is both more memorable and more resistant to attack than a complex password generated from a single word with substitutions applied.

“Coffeetrainfish.” “Walltinshirt.” “CupFishBiro.” These are long, genuinely hard to guess, and reasonably easy to remember. Each word on its own is in every attacker’s dictionary; what is not in any dictionary is the combination, because it is random. That is the caveat: the words must actually be picked at random, not lifted from a slogan, a song lyric or anything else an attacker can find in a phrase list.
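To make the two points above concrete, here is an added example (it is not code from the McDonald’s campaign, the NCSC or any cracking tool). It imitates, crudely, the per-word mangling that rule-based crackers perform, shows that the page’s four “bigmac” variants all fall out of that process, and compares the size of the resulting candidate space with that of three random words. The LEET table, the suffix list, the 100,000-word dictionary and the 7,776- and 20,000-word lists are all illustrative assumptions.

```python
"""Why leet substitution adds almost nothing, and what three random words add instead.

Added example, not from the McDonald's campaign or the NCSC. It imitates, crudely,
the per-word mangling that cracking tools such as hashcat and John the Ripper apply
through rule files, then compares the resulting candidate space with that of a
three-random-words passphrase. Assumptions: the LEET table and SUFFIXES list are a
representative subset of real rule sets; the wordlist sizes are illustrative.
"""
import itertools
import math
import secrets

# Substitutions a typical leetspeak rule set tries for each letter (assumption:
# representative subset, not a copy of any tool's rule file).
LEET = {
    "a": ["@", "4"], "e": ["3", "€"], "i": ["1", "!"], "o": ["0"],
    "s": ["$", "5"], "t": ["7"], "g": ["9"],
}
# Common appended tokens (assumption: representative subset).
SUFFIXES = ["", "!", "1", "123", "2026", "!1"]


def char_choices(c: str) -> list[str]:
    """Both cases of a letter plus its leet substitutes."""
    opts = [c.lower(), c.upper()] if c.isalpha() else [c]
    return opts + LEET.get(c.lower(), [])


def leet_variants(word: str) -> set[str]:
    """Every candidate a case-toggle + leet + suffix rule chain would derive from `word`."""
    out: set[str] = set()
    for combo in itertools.product(*(char_choices(c) for c in word)):
        base = "".join(combo)
        for suffix in SUFFIXES:
            out.add(base + suffix)
    return out


def mangled_dictionary_space(dictionary_size: int, variants_per_word: int) -> int:
    """Candidates an attacker must try: every dictionary word times its mangled forms."""
    return dictionary_size * variants_per_word


def three_words_space(wordlist_size: int) -> int:
    """Candidates for three words chosen independently and uniformly from the list."""
    return wordlist_size ** 3


def bits(candidates: int) -> float:
    """Equivalent entropy in bits for a uniformly chosen candidate."""
    return math.log2(candidates)


def generate_three_words(words: list[str]) -> str:
    """Pick three words with a CSPRNG, NCSC-style (e.g. 'CupFishBiro')."""
    return "".join(secrets.choice(words).capitalize() for _ in range(3))


if __name__ == "__main__":
    variants = leet_variants("bigmac")
    for sample in ("B1gMac", "B!gMac", "B1gM@c", "B!gM@c"):   # the page's examples
        print(f"{sample:>8} derived from 'bigmac'? {sample in variants}")
    print(f"variants of one word: {len(variants)}")
    attacker = mangled_dictionary_space(100_000, len(variants))   # 100k-word list, assumed
    print(f"100k-word dictionary, fully mangled: {attacker:,} candidates ({bits(attacker):.1f} bits)")
    for size in (7_776, 20_000):                                  # diceware-sized and larger lists
        print(f"three random words from {size:,}: {three_words_space(size):,} ({bits(three_words_space(size)):.1f} bits)")
    demo_words = ["coffee", "train", "fish", "wall", "tin", "shirt", "cup", "biro"]  # constructed
    print("example passphrase:", generate_three_words(demo_words))
```

Even this toy rule chain turns “bigmac” into a few thousand candidates, and a full 100,000-word dictionary mangled the same way is still only a few hundred million guesses, a few seconds of work against a fast hash. Three words drawn at random from a 7,776-word list give roughly 4.7 × 10^11 combinations, three orders of magnitude more, and the number grows with the cube of the list size. The design point is that the passphrase’s strength comes from `secrets.choice` making the selection, not from the user inventing a memorable phrase.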

The NCSC guidance states: “The traditional password advice built around password complexity failed because it told us to do things that most of us simply cannot do.”

That is not an obscure technical blog post. That is published guidance from the UK’s national cybersecurity authority. It is freely available. Your IT team should have read it.

If your organisation still enforces complexity requirements with special characters and mandatory rotation every ninety days, you are operating on advice that the NCSC deprecated years ago. You are making your users’ lives harder without making your organisation safer.

So What Actually Works

Three things, in order of importance.

Password managers. A password manager generates genuinely random, unique passwords for every service and stores them securely. The user does not need to remember them. The password for your accounting software can be forty characters of random noise, and nobody needs to type it from memory. The one password the user still has to remember, the manager’s own master passphrase, is exactly the case for three random words, and the manager account itself should sit behind MFA. This is not optional advice. It is the only rational response to the scale of the credential threat.

Multi-factor authentication. Even if a password is compromised, MFA stops the attacker at the door. A stolen “bigmac” password gets an attacker nowhere if your systems require a second factor. Enable MFA on every system that supports it, starting with email and cloud storage. Prefer authenticator apps, or FIDO2 security keys and passkeys, over SMS codes where the platform offers them; SMS is better than nothing but is the weakest option. It is the single most effective technical control available to an SMB.

Three random words for cases where password managers cannot be used. Device login credentials, admin accounts, anything that needs to be typed manually without a manager should follow the NCSC’s three random words guidance. Long, random, and memorable.

Not complexity policies. Not mandatory ninety-day rotation, which the NCSC also advises against. Not awareness training videos that employees watch on mute while doing something else.

Technical controls that make the right thing the easy thing.

What This Means for Your Business

  1. Audit your current password policy this week. If it requires complexity rules, special characters, and regular expiry, it is based on outdated guidance. Pull up the NCSC’s password administration collection and compare what you are enforcing against what they recommend. You will likely find a significant gap.

  2. Choose and deploy a password manager. Bitwarden’s business tier, 1Password Teams, and Dashlane Business are all credible options with administrator controls, audit logs, and user provisioning. Budget for it. It is not expensive relative to what a credential breach will cost you.

  3. Enable MFA on everything. Start with Microsoft 365, Google Workspace, and your cloud accounting platform. Work outward from there. The Cyber Essentials scheme, which the NCSC oversees, requires MFA for all users of cloud services under its user access control requirement. If you are targeting certification, MFA is not optional.

  4. Communicate the change to your team. Do not just push out a new policy. Explain why the old one was wrong. People comply better when they understand the reasoning. “We are no longer forcing you to create complex passwords because the NCSC says it does not work and here is why” is a message that lands.

  5. Run a check on Have I Been Pwned. The site’s domain search will tell you which addresses on your corporate email domain have appeared in known breach datasets, once you have verified that you control the domain. Its Pwned Passwords service, the same dataset McDonald’s drew on, also lets you check individual passwords against the breach corpus without sending the password itself, which is the basis for the breached-password deny list the NCSC recommends in place of complexity rules. Troy Hunt’s platform is trusted, free to use, and will give you a realistic picture of your exposure before you do anything else.
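The password check in step 5 is the one piece of this list that is a technical control rather than a decision, so here is an added example of it (not code from Have I Been Pwned or the NCSC). The Pwned Passwords range API takes the first five hex characters of the password’s SHA-1 and returns every matching suffix with its count, so the password never leaves your network. The response body in the script is constructed so it runs offline: the 110,922 count is the campaign’s figure for “bigmac”, the two neighbouring entries are filler, `offline_fetch_range` stands in for the HTTPS call, and the 8-character length floor is an assumed policy parameter.

```python
"""Breached-password denylist check against Pwned Passwords, run offline.

Added example, not code from Have I Been Pwned or the NCSC. The live service
exposes GET https://api.pwnedpasswords.com/range/<first 5 hex chars of the
password's SHA-1>, which returns lines of "<remaining 35 hex chars>:<count>",
so only a 5-character hash prefix ever leaves your network (k-anonymity).
Assumptions: the response body below is CONSTRUCTED so the script runs with no
network access (the 110,922 count is the figure from the campaign; the two
neighbouring entries are filler); `offline_fetch_range` stands in for the HTTPS
call; the 8-character length floor is a policy parameter, not an NCSC number.
"""
import hashlib


def sha1_upper(password: str) -> str:
    """SHA-1 hex digest, upper-cased as the API returns it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """(prefix sent to the API, suffix matched locally)."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a lookup table; tolerates blank lines and CRLF."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times `password` appears in the corpus; 0 if absent from its range."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- constructed stand-in for the network call ---------------------------------
_BIGMAC_PREFIX, _BIGMAC_SUFFIX = split_for_range_query("bigmac")
CONSTRUCTED_RESPONSE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"   # filler neighbour in the range
    f"{_BIGMAC_SUFFIX}:110922\r\n"                # 'bigmac', count from the campaign
    "011053FD0102E94D6AE2F8B83D76FAF94F6:3\r\n"   # filler neighbour
)


def offline_fetch_range(prefix: str) -> str:
    """Replace with an HTTPS GET of /range/<prefix> (send a User-Agent) for real use."""
    return CONSTRUCTED_RESPONSE if prefix == _BIGMAC_PREFIX else ""


def password_policy_check(password: str, fetch_range=offline_fetch_range, min_len: int = 8) -> list[str]:
    """NCSC-style policy: a length floor plus a breach denylist, and no complexity rules.
    Returns the list of reasons to reject; empty means accept."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    hits = breach_count(password, fetch_range)
    if hits:
        problems.append(f"appears {hits:,} times in known breaches")
    return problems


if __name__ == "__main__":
    for candidate in ("bigmac", "B1gM@c!", "CupFishBiro"):
        verdict = password_policy_check(candidate) or ["accepted"]
        print(f"{candidate:>12}: {'; '.join(verdict)}")
```

Wire `password_policy_check` into account creation and password changes in place of a complexity regex: it rejects “bigmac” for two reasons and accepts “CupFishBiro” with no special characters at all. For production, replace `offline_fetch_range` with a real HTTPS request, fail closed or log loudly if the API is unreachable, and never log the candidate password.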

How to Turn This Into a Competitive Advantage

Most of your competitors are still running the same failed password policies they had five years ago. If you get this right, you are genuinely ahead of the majority of UK SMBs.

In regulated sectors and for businesses that handle client data, being able to demonstrate that your access controls follow current NCSC guidance is a differentiator. Procurement questionnaires increasingly ask about MFA and password management. A coherent, policy-backed answer based on NCSC standards carries weight.

If you are pursuing Cyber Essentials certification, getting your password controls right is a prerequisite. Certification is increasingly expected in public sector and NHS supply chains. Getting there faster than your competitors is a tangible business advantage, not a compliance box.

How to Sell This to Your Board

The board-level argument is straightforward.

Risk reduction: Stolen or guessed credentials are among the most common ways attackers get in, year after year, in every major breach report. The cost of a credential-based breach, including ICO notification, regulatory response, remediation, and reputational damage, is orders of magnitude greater than the cost of deploying a password manager and enforcing MFA.

Regulatory exposure: Under UK GDPR, the ICO expects organisations to implement appropriate technical and organisational measures. Continuing to operate on password policies that contradict NCSC guidance is difficult to defend as “appropriate” if a breach occurs.

Competitive positioning: Clients and prospects increasingly assess supplier security posture before committing to contracts. Demonstrable NCSC-aligned controls answer those questions before they are asked.

The cost is minimal: A password manager for a ten-person team costs less per month than a round of coffees. MFA is free on most platforms. The IT time required to deploy both is measured in hours, not weeks.

When McDonald’s has better security communication than your IT department, the cost of doing nothing is embarrassment at best and a reportable breach at worst.

Sources

  • McDonald’s Netherlands / PRNewswire: “‘bigmac’ frequently used as a password, McDonald’s draws attention to predictable logins”
  • The Register: “McDonald’s is not lovin’ your bigmac, happymeal, and mcnuggets passwords”
  • Have I Been Pwned: Pwned Passwords
  • NCSC: The logic behind three random words
  • NCSC: Password administration for system owners
  • NCSC: Password policy: updating your approach
  • NCSC: Three random words

Filed under

  • smb-security
  • uk-business
  • credential-theft
  • business-risk
  • compliance-failure
  • executive-security
  • social-engineering